Carrier IQ hit with privacy lawsuits as more security researchers weigh in


Carrier IQ, the new poster child for (alleged) smartphone privacy violations, has been hit with two class-action lawsuits from users worried about how the company's software tracks their smartphone activity. Carrier IQ, of course, professes its innocence. But the company has also received some public support from security researchers who say Carrier IQ's software is only tracking diagnostic information and likely is not violating user privacy.

It all began recently with a developer named Trevor Eckhart showing how Carrier IQ software seems to record button presses, search queries and the contents of text messages on an HTC Evo Android phone, with no way for the user to shut the tracking activity off. Carrier IQ initially tried to silence Eckhart with a cease-and-desist letter, but ultimately backed down on the threat in the face of opposition from the Electronic Frontier Foundation.

But Carrier IQ still has legal and publicity problems to handle. One new class-action lawsuit names both Carrier IQ and HTC, accusing the companies of violations under the Federal Wiretap Act. Another lawsuit was filed against Carrier IQ as well as HTC and Samsung, both of which have confirmed installing Carrier IQ software on their smartphones, saying they do so at the request of wireless carriers.

Carrier IQ, speaking to All Things D, said its software doesn't log or understand keystrokes. “The software receives a huge amount of information from the operating system,” Carrier IQ marketing vice president Andrew Coward said. “But just because it receives it doesn’t mean that it’s being used to gather intelligence about the user or passed along to the carrier.”

Coward further said his company's software is used to help carriers diagnose problems. “If there’s a dropped call, the carriers want to know about it,” he said. “So we record where you were when the call dropped, and the location of the tower being used. Similarly, if you send an SMS to me and it doesn’t go through, the carriers want to know that, too. And they want to know why—if it’s a problem with your handset or the network.”

The company also posted a statement on its website saying "Our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen."

Security researchers who spoke to the Los Angeles Times disagreed with the conclusions Eckhart made, saying there's no evidence the diagnostic information collected by Carrier IQ is stored or transmitted.

Virtual Security Research consultant Dan Rosenberg said "I've reverse engineered the software myself at a fairly good level of detail. They're not recording keystroke information, they're using keystroke events as part of the application." What that means, according to the article, is Carrier IQ software knows when a button is pressed, just as your e-mail application knows when you hit reply, but it doesn't record each keystroke or send a record of it to anyone.

Ultimately, how much information is collected on Android phones and what is done with it seems to be up to the carriers. We asked AT&T exactly what information is logged on its phones, where it is sent and how it is used. While we didn't receive a detailed response, AT&T did tell us "In line with our privacy policy, we solely use CIQ software data to improve wireless network and service performance."

We haven't heard back from Sprint, but the company told Computerworld that "We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc., using this tool."

Ars spoke with Apple yesterday, and we heard much the same thing. While Apple is in the process of phasing Carrier IQ out of iOS, it said "data was sent anonymously, and in encrypted fashion. We did not record keystrokes, messages or any personal information for the diagnostic data, and we have no plans to in the future."

Carrier IQ boasts that its software is deployed on more than 141 million handsets, and has operated for several years without any major level of controversy. Clearly, smartphones would be capable of tracking much of our activity even if Carrier IQ never existed. But the lawsuits filed against Carrier IQ and its customers, and forthcoming responses to Franken's letters, should shed more light on exactly what information is collected and how it is used.

UPDATE: We've just received a statement from Sprint, which says that while it "cannot look at the content of customer messages, e-mails, photos, videos, etc., using the diagnostic tools offered by Carrier IQ," it uses the tool to analyze device and network performance to identify problems and resolve them. Sprint says the data it collects is anonymized and "not sold or provided to anyone outside of Sprint."


Investigation or not, this is not kosher. Carrier IQ and all its customers need to be held accountable. I agree to allow Google to use my location data and cache it when I use maps. I know they get all that data and can do what they will with it because I agreed to it. I don't agree to a carrier grabbing my location when they feel like it and without my express permission.

Ars spoke with Apple yesterday, and we heard much the same thing. While Apple is in the process of phasing Carrier IQ out of iOS, it said "data was sent anonymously, and in encrypted fashion. We did not record keystrokes, messages or any personal information for the diagnostic data, and we have no plans to in the future."

All the uproar demonstrates at the very least how the public are starting to really pay attention to security concerns and the protection of their privacy. It seems people do take things like this seriously, which has not always been the case with their relationship to technologies.

Investigation or not, this is not kosher. Carrier IQ and all its customers need to be held accountable. I agree to allow Google to use my location data and cache it when I use maps. I know they get all that data and can do what they will with it because I agreed to it. I don't agree to a carrier grabbing my location when they feel like it and without my express permission.

Your carrier already knows your location via what cellular tower you're connected to. You will never, ever be able to turn that off and it has been true since even before the age of smartphone+location services.

Ars spoke with Apple yesterday, and we heard much the same thing. While Apple is in the process of phasing Carrier IQ out of iOS, it said "data was sent anonymously, and in encrypted fashion. We did not record keystrokes, messages or any personal information for the diagnostic data, and we have no plans to in the future."

And this is to be believed without question?

Why should they lie about it? It's easy to test if this is true or not.

You know, I actually believe that CIQ is not stupid enough to record people's messages.

But that is irrelevant. In this day and age, anything that smells at all like a privacy violation MUST BE OPT-IN. Opt-out is not good enough. And refusing to even give the customer an option at all is simply unacceptable.

Thank God the general public is starting to wake up to this kinda stuff.

If they are telling the truth, and I highly doubt that, then why the initial Cease and Desist Order? That may go down as one of the worst legal mistakes in history before this thing is said and done. The one action has crippled this company and may ultimately kill it. If Eckhart published his results and the company's response was, "we think you got that wrong, let us show you what we are collecting and how it's used" then it is unlikely anyone would be hearing about this outside of the small community of security researchers and watchdogs.

If what they were doing was so innocuous then why the secrecy? Why not give people a way to opt out? Why not let people know this is going on in the background?

Personally, I have no problem with recording the location of dropped calls or monitoring the battery assuming that information is being aggregated and is not traceable back to me on a user level. But that seems highly unlikely given the way the company chose to deal with this initially. My guess is right now they are doing the digital equivalent of a "shredding party" and we will never know the whole story.

I wonder why the carriers aren't being targeted, as opposed to Carrier IQ? Aren't the carriers the ones who secretly added the software? Granted, the software does questionable things, but it wouldn't be doing jack if, say, my phone company hadn't installed it in the first place. It's not like I installed it thinking it would be protecting my phone, only to find out it was secretly sending private information.

Investigation or not, this is not kosher. Carrier IQ and all its customers need to be held accountable. I agree to allow Google to use my location data and cache it when I use maps. I know they get all that data and can do what they will with it because I agreed to it. I don't agree to a carrier grabbing my location when they feel like it and without my express permission.

Your carrier already knows your location via what cellular tower you're connected to. You will never, ever be able to turn that off and it has been true since even before the age of smartphone+location services.

Yes. The Carrier IQ software's existence without disclosure is ridiculous, but once again people are getting caught up in the controversy of the day and forgetting the barely checked and almost unquestioned power the telecoms and ISPs have over *all* the data we emit. For instance:

I wonder why the carriers aren't being targeted, as opposed to Carrier IQ? Aren't the carriers the ones who secretly added the software? Granted, the software does questionable things, but it wouldn't be doing jack if, say, my phone company hadn't installed it in the first place. It's not like I installed it thinking it would be protecting my phone, only to find out it was secretly sending private information.

Agreed. After all, we blame the ISPs for things like deep packet inspection-based throttling or blocking, not the companies making the products that actually do it.

I wonder why the carriers aren't being targeted, as opposed to Carrier IQ? Aren't the carriers the ones who secretly added the software? Granted, the software does questionable things, but it wouldn't be doing jack if, say, my phone company hadn't installed it in the first place. It's not like I installed it thinking it would be protecting my phone, only to find out it was secretly sending private information.

This point cannot be emphasized enough. As I've noted in previous posts, CIQ is a Carrier problem. They saw fit to place an uninstallable piece of spyware on phones. Even if it doesn't act as a keylogger (which still seems in doubt) it definitely is logging https data. I don't want any of the carriers to have bank passwords, cc numbers in any databases. We just had a case where dmv workers were selling people's id numbers for marginal amounts of money, you don't think this data would represent a crazy bounty for thieves and hackers? A friggin security disaster waiting to happen, I can't believe anybody thinks it's a bad thing that people are being called to carpet about it.

Oh, and just because some of the data can be used for quality of service improvement doesn't relieve them of culpability when the mechanism that they use to gather that data is A. sketchy as hell B. ripe for exploitation by malware writers C. catching extremely sensitive data alongside it. Hopefully this s**tstorm forces the carriers to release ways of removing ciq from our phones.

Well we know of at least one group that's lying... the "researchers" from the Times mentioned in the article... how can they claim it's not storing or transmitting data, when even Apple admitted it was sending encrypted data?

Make it optional, install it as an application, not under the OS. And do an investigation before the lawsuits begin... the last thing we need is a bunch of lawyers to make 20mil and all the members of the class to get a gift certificate for $1.50 (ticket bastard)

It really doesn't seem that bad, but it does have huge potential for abuse. That combined with their knee jerk reaction does not look good, but I will withhold judgement until I know the facts.

That said, there is a need for local software to track dropped/failed calls. When we fired ATT in Dec 09 they claimed we had 1:4% dropped call rate when users were experiencing 30-50% of our calls failing (this was in the months directly after ATT's 3G turn on). Obviously the carrier was not getting records, because the network was over saturated, but they wouldn't admit it.

I think what seems to be missed or ignored is the language that Carrier IQ and the cell phone manufacturers and cell providers are using. They say that it isn't capturing this info. They have not said 'This software is incapable of capturing your information and transmitting it. And if it did, we will not use that functionality'. It has been shown that at least on Android phones, the CarrierIQ processes run with root authority and complete access to the file systems. That means to me that the software has incredible capability that they just have not admitted to or possibly used yet. And hey, all it takes is a device from another manufacturer and police can download all the info on your phone, including everything logged by CarrierIQ. This kind of privacy violation and resulting devices gives way too much information to people who don't need it and don't deserve it.

Trevor Eckhart proves without a doubt that the CarrierIQ app reroutes real-time key events, private user location and data to the debug log files. On the other hand, CarrierIQ and some security researchers think there is no risk.

Meanwhile, the Android Developer community, far more knowledgeable about the Android architecture than CarrierIQ and these security researchers, KNOW WHERE the debug log files are "written", "stored", and "saved" in your mobile devices! Negligence may not help CarrierIQ against the lawsuits that await them in court.

“But just because it receives it doesn’t mean that it’s being used to gather intelligence about the user or passed along to the carrier.”

Yes, of course.

And tomorrow another company wants to install keyloggers on our desktop computers/laptops, or cameras in our houses. After all, simply because those will receive a lot of data doesn't mean that it'll be used to gather information about the owner/resident or passed along to entity XYZ.

Scout's honor, of course.

I mean if you can't even believe the word of a marketing VP, who can you believe?!

Not really sure why people are defending CIQ. We don't know all the facts yet, that's true, but still it looks incredibly sketchy. Why the secrecy? Why make it next to impossible to remove? Why does it appear to be grabbing https info? I don't understand why I'm expected to think this is OK on a phone but if someone had installed the same thing on a desktop it would be classified as malware.

Regardless if it is a privacy concern, it's reporting information on me without my consent and while using my very precious phone resources.

If Sprint would like to allow me to control which information is reported, when the application is allowed to access the internet and maximum allowable bandwidth for the app, along with a larger battery to compensate for the extra power consumption, more RAM and a more powerful CPU to make up for the performance loss; yeah I'd be happy to allow them to have their spyware on my phone.

I assure non-rooted users that removal of CIQ greatly improves both performance and battery life on Android phones.

Interesting situation with US Cellular (#6 cellular provider in the US, operates CDMA network in 26 states), they posted a statement yesterday saying that Carrier IQ has been in the news, but that their customers can relax, they do not use it because they are oh so committed to your privacy.

Funny thing about that, I ran Eckhart's test, and his app said Carrier IQ is in fact installed on my phone, which I got from US Cellular in July 2010. So I basically called US Cellular out on Facebook. They wrote back and said that they just checked with their engineers, who said that it is not on any of their phones.

I think the story between the lines here is that US Cellular used Carrier IQ in 2010 and did not renew their contract in 2011 for whatever reason, and now that Carrier IQ has been ousted, they're proud to declare that none of their current devices (they no longer offer the phone I use) have Carrier IQ.

I suppose I should have nothing to worry about, since if US Cellular isn't working with Carrier IQ, they're not picking up the logs my phone is generating. I'm due up for an upgrade next month, so I see no reason to pay Eckhart $1 to remove it (or $2 to remove it from my phone and my wife's, since it's $1 per phone).

The letter on their web site is most peculiar. For example, they say:

“Having examined the Carrier IQ implementation, it is my opinion that allegations of keystroke collection or other surveillance of mobile device user’s content are erroneous,” asserts Rebecca Bace of Infidel, Inc., a respected security expert.

But nowhere do THEY say they don't log keystrokes; they just quote someone else's opinion of what they do. WTF???

This is why too much free time is a risk. The mind, like the body starved of food, begins feeding on itself when it doesn't have enough to occupy its prodigious capabilities. Folks without enough to do will find scary shadows in their closets.

Litmus test questions:
1. can the device work without Carrier IQ software?
2. do users know it exists; do they see it as a regular app? an icon perhaps?
3. do they know what it does?
4. can they switch it off?
5. is it being used to make profit for someone?
6. is it being used to make business decisions for someone?
7. Did the carriers give any reason when they asked you (htc, samsung) to install this software? Do you accept anything the carriers ask you to install?
8. Did you question the carriers why this software needs to be installed?
9. Do you (htc, samsung) know what this software does?

1. Absolutely. My noCIQ series of mods removes it from Samsung Android devices.
2. If they're savvy, and know where to look. It can be seen on Samsung devices under Settings > Applications > Running Services as "IQAgent Service".
3. No, they absolutely don't, unless they've read information published on it by TrevE, myself, or Mr. Rosenberg. I don't consider the carrier statements or lame PR statements from CIQ to be credible. Statements made by VP of Marketing Andrew Coward have been more credible. Reporters in the blogosphere have told me that he's been fairly forthcoming.
4. At best, the service can be killed, but the process still runs. Otherwise, one must root their phone (thus voiding the warranty).
5. Other than Carrier IQ, Inc.?
6. No, because software can't do that. Only humans can make business decisions. Does it supply data that's used in the process of making business decisions? Yes.
8. I'm not sure who's being addressed here, but I've posed questions to Samsung and Sprint. Never got replies. Sprint has stated publicly that they use it to "improve network quality". Perhaps that's one function.
9. HTC and Samsung do know how it works, and what it does, as does the carrier. HTC and Samsung have unique implementations, different from each other, and different from the "stock" CIQ client. A Samsung representative once intimated to me that they would not use CIQ software on their devices if they were not instructed to by Sprint (and others - Sprint was the subject at the time). I have also been told that CIQ is known well by persons in Google's hierarchy.

I'm not sure a class action suit could succeed. CarrierIQ was providing a service which the carriers (and Apple/HTC/Samsung/et al.) voluntarily used. Any successful legal action would probably have to be against the carriers and/or phone vendors.

One might as well be suing ARM for providing the CPU designs which the spyware ran on.